Re: encrypted password

On a side note, I don't believe you should be saving encrypted passwords in
your database. Rather you should be saving hash representations of passwords
of authenticated users that will be compared against user-submitted hashed
passwords. Reverse cryptography is then eliminated. If you have access, take
a look at how it is performed in Commerce Server 2002.

Admittedly, I have no knowledge of the software you are developing or why
you are developing it this way.

Good luck,
Davin Mickelson

"asad" <> wrote in message
news:077d01c3ab7f$b3a7a2d0$...
hi,

I am encountering a problem while saving my encrypted
password (as bytes) in SQLSERVER2000 using
ASP.NET. Before saving to SQLSERVER, on screen the
encrypted password is as follows:

SY=

After saving to SQLSERVER 2000 it becomes as follows:

L?s

The following lines show the part of the ASP.NET source file
that saves the encrypted password in SQLSERVER 2000:

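The corruption in the quoted question ("SY=" on screen, "L?s" in the table) is what happens when ciphertext bytes are decoded as UTF-8 text before being written to a VarChar column. The following is an added example, not code from the thread (Python rather than the poster's VB.NET, with a constructed sample blob): it shows that the decode-as-text path does not round-trip arbitrary bytes, while a base64 text representation (or a VarBinary column) does.

```python
import base64
import os

# Constructed sample "ciphertext": arbitrary bytes that include sequences
# which are not valid UTF-8 (this is NOT the poster's real data).
SAMPLE_CIPHERTEXT = bytes([0x4C, 0xE2, 0x73, 0xFF, 0x00, 0x9A, 0x3D])


def store_as_text_lossy(blob: bytes) -> str:
    """Mirrors UTF8Encoding.GetString: invalid sequences become U+FFFD."""
    return blob.decode("utf-8", errors="replace")


def load_from_text_lossy(text: str) -> bytes:
    """Reading the VarChar column back and re-encoding it as UTF-8."""
    return text.encode("utf-8")


def store_as_base64(blob: bytes) -> str:
    """Text form that is safe for a VarChar column (Convert.ToBase64String)."""
    return base64.b64encode(blob).decode("ascii")


def load_from_base64(text: str) -> bytes:
    return base64.b64decode(text)


def round_trips(blob: bytes, store, load) -> bool:
    """True only if storing and loading returns exactly the original bytes."""
    return load(store(blob)) == blob


def demo() -> dict:
    """Compare both storage paths on the sample blob and on random bytes."""
    random_blob = os.urandom(32)
    return {
        "lossy_text": store_as_text_lossy(SAMPLE_CIPHERTEXT),
        "lossy_round_trips": round_trips(
            SAMPLE_CIPHERTEXT, store_as_text_lossy, load_from_text_lossy),
        "base64_text": store_as_base64(SAMPLE_CIPHERTEXT),
        "base64_round_trips": round_trips(
            SAMPLE_CIPHERTEXT, store_as_base64, load_from_base64),
        "base64_random_round_trips": round_trips(
            random_blob, store_as_base64, load_from_base64),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```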

Yes, good point (can't believe I didn't pick up on that -
I'm kind of trendy about security, lol).

Actually - yes, you should hash passwords and encrypt only
credit card data (or other secure data that you'll need
to retrieve later). Passwords are something you should
never need to access as clear text. If you have
a "retrieve your password" function for your end-users
(like sending them a copy of their lost password) - you
should really look at generating them a new password
after they confirm their birthday and other personal
info .. and then send it to their email on record.

You should salt the hash with a piece of data that is
unique to the user login, such as their first login date -
or even better, add a GUID column and assign a GUID on
account creation. - Hashing is good, but it's possible to
create a hash dictionary of common passwords and try to
find equal hash values. Salting the hash will protect
the data from easy attacks like this.

Also - in terms of asymmetric encryption, you should use
the Rijndael algorithm and not TDES, as many experts will
point out.

>-----Original Message-----
>On a side note, I don't believe you should be saving
>encrypted passwords in your database. Rather you should
>be saving hash representations of passwords of
>authenticated users that will be compared against
>user-submitted hashed passwords. Reverse cryptography is
>then eliminated. If you have access, take a look at how
>it is performed in Commerce Server 2002.
>
>Admittedly, I have no knowledge of the software you are
>developing or why you are developing it this way.
>
>Good luck,
>Davin Mickelson
>
>"asad" <> wrote in message
>news:077d01c3ab7f$b3a7a2d0$...
>hi,
>
>I am encountering a problem while saving my encrypted
>password (as bytes) in SQLSERVER2000 using ASP.NET.
>Before saving to SQLSERVER, on screen the encrypted
>password is as follows:
>
>SY=
>
>After saving to SQLSERVER 2000 it becomes as follows:
>
>L?s
>
>The following lines show the part of the ASP.NET source
>file that saves the encrypted password in SQLSERVER 2000:
>
>Dim encoder As New System.Text.UTF8Encoding()
>
>regsp.Parameters.Add(New SqlParameter("@userkey", _
>SqlDbType.VarChar, 50)).Value = encoder.GetString _
>(Encrypted password in bytes)
>
>Please help me!
>
>with regards,
>
>Asad
>

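A salted password store along the lines the two replies describe, as an added example that is not code from the thread or from Commerce Server (Python rather than the app's VB.NET; the design carries over directly): a GUID salt is assigned at account creation, only the salt and digest are stored as base64 text, and verification re-hashes the submitted password with the stored salt and compares in constant time. PBKDF2-HMAC-SHA256 with the round count below is my choice of hash and work factor, not something the thread names.

```python
import base64
import hashlib
import hmac
import uuid

PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example


def create_account(password: str) -> dict:
    """Assign a per-user GUID salt at account creation; store salt + digest only."""
    salt = uuid.uuid4().bytes  # 16 random bytes, the "guid column" from the post
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Base64 text is safe for a VarChar column; raw bytes via UTF-8 are not.
    return {
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
    }


def verify_password(record: dict, submitted: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare digests."""
    salt = base64.b64decode(record["salt"])
    expected = base64.b64decode(record["hash"])
    actual = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(expected, actual)  # constant-time comparison


def same_password_distinct_hashes(password: str) -> bool:
    """Two accounts with the same password must not share a digest; this is
    what makes a precomputed dictionary of common-password hashes useless."""
    first, second = create_account(password), create_account(password)
    return first["hash"] != second["hash"] and first["salt"] != second["salt"]


if __name__ == "__main__":
    user = create_account("correct horse battery staple")
    print("stored record:", user)
    print("login ok:", verify_password(user, "correct horse battery staple"))
    print("wrong password rejected:", not verify_password(user, "password1"))
    print("salts defeat shared digests:", same_password_distinct_hashes("123456"))
```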

The Key and IV that you'll need to generate for the
symmetric algorithm should not be stored as bytes in your
encrypt/decrypt functions .... rather you should print
them out (or burn a file to CD) and store it somewhere
safe.

You should build a helper application to store the bytes
in the registry and encrypt the bytes using the DPAPI.
Then your app can read from the registry, decrypt the
bytes, and store them in memory. Your functions would then get
the clear bytes from memory... Why do all this? Because
your assembly can be easily reverse-engineered.

Hope this helps.

>-----Original Message-----
>Yes, good point (can't believe I didn't pick up on that -
>I'm kind of trendy about security, lol).
>
>Actually - yes, you should hash passwords and encrypt only
>credit card data (or other secure data that you'll need
>to retrieve later). Passwords are something you should
>never need to access as clear text. If you have
>a "retrieve your password" function for your end-users
>(like sending them a copy of their lost password) - you
>should really look at generating them a new password
>after they confirm their birthday and other personal
>info .. and then send it to their email on record.
>
>You should salt the hash with a piece of data that is
>unique to the user login, such as their first login date -
>or even better, add a GUID column and assign a GUID on
>account creation. - Hashing is good, but it's possible to
>create a hash dictionary of common passwords and try to
>find equal hash values. Salting the hash will protect
>the data from easy attacks like this.
>
>Also - in terms of asymmetric encryption, you should use
>the Rijndael algorithm and not TDES, as many experts will
>point out.
>
>>-----Original Message-----
>>On a side note, I don't believe you should be saving
>>encrypted passwords in your database. Rather you should
>>be saving hash representations of passwords of
>>authenticated users that will be compared against
>>user-submitted hashed passwords. Reverse cryptography is
>>then eliminated. If you have access, take a look at how
>>it is performed in Commerce Server 2002.
>>
>>Admittedly, I have no knowledge of the software you are
>>developing or why you are developing it this way.
>>
>>Good luck,
>>Davin Mickelson
>>
>>"asad" <> wrote in message
>>news:077d01c3ab7f$b3a7a2d0$...
>>hi,
>>
>>I am encountering a problem while saving my encrypted
>>password (as bytes) in SQLSERVER2000 using ASP.NET.
>>Before saving to SQLSERVER, on screen the encrypted
>>password is as follows:
>>
>>SY=
>>
>>After saving to SQLSERVER 2000 it becomes as follows:
>>
>>L?s
>>
>>The following lines show the part of the ASP.NET source
>>file that saves the encrypted password in SQLSERVER 2000:
>>
>>Dim encoder As New System.Text.UTF8Encoding()
>>
>>regsp.Parameters.Add(New SqlParameter("@userkey", _
>>SqlDbType.VarChar, 50)).Value = encoder.GetString _
>>(Encrypted password in bytes)
>>
>>Please help me!
>>
>>with regards,
>>
>>Asad
>>
>

Welcome to Velocity Reviews!